opencode/specs/17-permission-responded-bounds.md

Permission responded bounds

Bound the in-memory responded set in PermissionProvider

---

Summary

packages/app/src/context/permission.tsx uses a module-local responded = new Set<string>() to prevent duplicate auto-responses for the same permission request ID. Entries are never cleared on success, so the set can grow without bound over a long-lived app session.

This spec caps the size of this structure while preserving its purpose (dedupe in-flight/recent IDs).

---

Scoped files (parallel-safe)

• packages/app/src/context/permission.tsx

---

Goals

• Prevent unbounded growth of responded
• Keep dedupe behavior for recent/in-flight permission IDs
• Avoid touching other modules

---

Non-goals

• Changing permission auto-accept rules
• Adding persistence for responded IDs

---

Proposed approach

• Replace Set<string> with an insertion-ordered Map<string, number> (timestamp) or keep Set but prune using insertion order by re-creating.
• Add a cap constant, e.g. MAX_RESPONDED = 1000.
• On respondOnce(...):
  • insert/update the ID (refresh recency)
  • if size exceeds cap, delete oldest entries until within cap
• Keep the existing .catch(() => responded.delete(id)) behavior for request failures.

Optional: add TTL pruning (e.g. drop entries older than 1 hour) when inserting.

---

Implementation steps

1. Introduce MAX_RESPONDED and a small pruneResponded() helper

2. Update respondOnce(...) to refresh recency and prune

3. Keep failure rollback behavior

---

Acceptance criteria

• responded never grows beyond MAX_RESPONDED
• Auto-respond dedupe still works for repeated events for the same permission ID in a short window

---

Validation plan

• Manual:
  • Simulate many permission requests (or mock by calling respondOnce in dev)
  • Confirm the structure size stays capped
  • Confirm duplicate events for the same permission ID do not send multiple responses